Systemic issues and breach reporting: prevention beats cure

9 minute read 15.10.2025 Edwina Star

An ounce of prevention and transparency beats a pound of cure. Swift, candid breach reporting protects reputation, avoids penalties, and keeps your organisation ahead of ASIC’s 30-day deadline.

The Australian Securities and Investments Commission (ASIC) has sharpened its focus on systemic compliance issues and breaches, recognising that these failures can severely damage consumer trust and the financial system’s stability. ASIC has signalled it will target patterns of non-compliance, especially those that indicate deeper governance, controls, or systems deficiencies.

Since the post-Royal Commission changes in October 2021, licensees have been required to report significant incidents or investigations to ASIC within 30 days (and more recently 90 days for certain breaches). The revised regime was designed to address delays in communicating serious issues to regulators. Although numerous organisations have experienced a marked rise in reportable breaches following recent regulatory changes, ASIC has observed that submitted breach reports are only significantly below anticipated levels.

Proactive compliance isn’t just about avoiding fines, it’s about maintaining the social licence to operate”

What does this mean?

Full implications of the changes were not initially acknowledged: Although the 2021 amendments appeared minor on the surface, they have resulted in substantial impacts on processes, resource allocation, and timelines, which were often not matched by corresponding system updates. Additionally, the number of events or issues requiring reporting has grown, increasing the resources needed for effective monitoring, management, and reporting activities. This has largely been due to the deemed significance, and therefore reportability, of the large number of general licensee obligations that attract civil penalties, even where the number of affected customers is relatively low.
Breaches can arise from various channels, especially complaints: Large organisations receiving thousands of complaints face challenges, but if a complaint indicates harm to one or multiple customers, it may qualify as a regulatory breach. Hence 'connecting the dots' and getting complaints in the breach assessment process is important but, increasingly difficult given the way complaints are managed and recorded.
Non-compliance is costly: Recent enforcement actions demonstrate that failure to report can lead to substantial penalties, legal costs, reputational damage and personal liability for directors and executives. In short, ignoring or downplaying systemic issues is far more costly than investing proactively in robust compliance.
Expectation of proactive identification and reporting: Quietly fixing issues in-house is no longer acceptable. ASIC expects organisations to have mechanisms, resourcing, capability, and systems in place to detect, assess and report breaches or misconduct swiftly. Delays or omissions in reporting may be viewed as indicative of a broader compliance culture problem. Timely reporting may not grant immunity, but it does demonstrate a degree of transparency and cooperation which can influence regulatory responses.
Systemic failures reflect governance gaps: Repeated or widespread issues often signal areas where internal controls or risk management processes have broken down. If the regulator uncovers an issue before it is identified internally, they may review the effectiveness of the organisation’s compliance and governance frameworks. If a process consistently malfunctions, ASIC will infer that Management and the Board have not put adequate controls in place. For boards and executives, it is helpful to treat every significant incident as a key indicator of organisational compliance health.
False statements compound legal exposure: Providing false or misleading information to regulators, whether by omission or commission, undermines trust and is itself a breach of the law. Under the Corporations Act, giving false or misleading statements to ASIC is unlawful, and ASIC has shown it will pursue this vigorously. For organisations, this means absolute accuracy in any regulatory filings or breach notices is critical. Ensure any reports to ASIC (and communications to customers) are double-checked for completeness. If an error is discovered after submission, it should be corrected immediately to demonstrate good faith. It’s far better to say “we’re investigating X and will update further” than to omit or downplay information.
Regulators are watching and so are others: Regulators are not the only audience. External dispute resolution bodies, industry code compliance committees, the media, consumers, politicians and shareholders are watching and increasingly demanding higher standards of conduct. A single breach can quickly erode customer trust and shareholder confidence. Proactive compliance isn’t just about avoiding fines, it’s about maintaining the social licence to operate. Boards members should question: 'What would happen if our handling of this issue was on the front page of the newspaper?' If that thought makes you cringe, then the issue needs more attention now, before it escalates. This trend is also evident through ASIC's decision to publish a public-facing dashboard containing Internal Dispute Resolution (IDR) data, coming into effect in October 2025. This impending change will also bring increased scrutiny on sensitive data points such as complainant privacy, data comparisons and explanatory material to support contextualisation.

In addition, AFCA is increasingly issuing "Potential Systemic Issue" or "PIC" notices where it believes one or more complaints have raised a potentially systemic issue. Addressing PICs is a time and resource-consuming exercise and can often present the additional challenges of arising from fact patterns unique to the dispute in question or from perceived breaches of the general fairness principles within AFCA's mandate, which is inherently wider than black-letter law.

The implications are clear: risk and compliance must be top-of-mind for leadership, not a back-office afterthought. ASIC’s focus on systemic breaches effectively translates to an expectation that companies know what’s happening in their organisations at all times and respond swiftly to any sign of trouble. Those who fall short can expect little sympathy and swift action from regulators.

What should risk and compliance professionals, executives, and directors do now?

Embed a Compliance-First Culture: Culture is the foundation. Senior leadership must promote a culture where ethical conduct and compliance are non-negotiable. Staff should understand compliance expectations and feel responsible and valued for escalating issues. Reinforce this through regular messaging from the CEO and Board, incorporating compliance metrics into performance evaluations, and celebrating examples of issues identified and addressed properly.